VPS hacked? What to do next

A virtual private server is a very secure hosting solution if you’ve taken the necessary precautions and your hosting provider is doing their part.

But that doesn’t always happen, and in those cases a VPS can be hacked. Learn how to verify that your VPS has been breached, and how to secure it, if it has.

How to verify your VPS has been hacked

If you think your VPS has been hacked, it’s important to check for signs of unauthorized access or suspicious activity.

Look for unusual system behavior

One of the first signs of a hacked VPS is that your server might be running slower than usual or behaving strangely. If your website is lagging, crashing, or using more resources than normal, this could mean that a hacker has installed a malicious program that is consuming your server’s power.

Watch out for unexplained reboots as well, which could indicate that someone else has access to your system.

Check for unauthorized access

If a hacker has broken into your VPS, there may be signs of unusual login activity. Look at your server logs to see if there have been any logins from locations or IP addresses that you don’t recognize.

Also, check if any new user accounts have been created on your server. If you find an account that you didn’t create, this is a strong sign that your VPS has been compromised.

Hackers also sometimes add their own SSH keys (which are used for remote access) so they can log in whenever they want without needing a password.
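
The three checks in this section (logins, accounts, SSH keys) can be scripted. The following is an added example, not part of the original article: it assumes a syslog-style sshd log, and the function names, the list files (known IPs, expected accounts, approved key blobs) and all sample data are constructed for illustration.

```bash
# "user ip" for each accepted SSH login whose source IP is not in KNOWN_IPS.
unknown_logins() {       # usage: unknown_logins AUTH_LOG KNOWN_IPS
  awk 'FILENAME == ARGV[1] { known[$1]; next }
       / sshd\[[0-9]+\]: Accepted / {
         for (i = 2; i < NF; i++)
           if ($i == "from" && !($(i+1) in known)) print $(i-1), $(i+1)
       }' "$2" "$1" | sort -u
}

# Accounts with a login shell that are not in BASELINE, plus extra UID 0 accounts.
unexpected_accounts() {  # usage: unexpected_accounts PASSWD BASELINE
  awk -F: 'FILENAME == ARGV[1] { base[$1]; next }
           $3 == 0 && $1 != "root" { print $1, "uid0"; next }
           $7 !~ /(nologin|false)$/ && !($1 in base) { print $1, "new" }' "$2" "$1"
}

# Key type and comment of authorized_keys entries whose key blob is not in APPROVED.
unapproved_keys() {      # usage: unapproved_keys AUTHORIZED_KEYS APPROVED
  awk 'FILENAME == ARGV[1] { ok[$1]; next }
       /^[ \t]*#/ || /^[ \t]*$/ { next }
       { for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
           if (!($(i+1) in ok)) print $i, $(i+2); break } }' "$2" "$1"
}

# Constructed sample data: documentation IP ranges and fake key blobs.
demo=$(mktemp -d)
cat > "$demo/auth.log" <<'EOF'
Mar  3 09:12:44 vps1 sshd[1812]: Accepted publickey for deploy from 203.0.113.10 port 51432 ssh2
Mar  4 02:13:55 vps1 sshd[2290]: Failed password for root from 198.51.100.77 port 40112 ssh2
Mar  4 02:14:07 vps1 sshd[2311]: Accepted password for root from 198.51.100.77 port 40258 ssh2
EOF
echo 203.0.113.10 > "$demo/known_ips"
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
support:x:0:0::/home/support:/bin/bash
sysbackup:x:1001:1001::/home/sysbackup:/bin/sh
EOF
printf 'root\ndeploy\n' > "$demo/baseline"
cat > "$demo/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDKEY1 deploy@laptop
no-pty ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDKEY2 unknown@host
EOF
echo AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDKEY1 > "$demo/approved"

unknown_logins "$demo/auth.log" "$demo/known_ips"
unexpected_accounts "$demo/passwd" "$demo/baseline"
unapproved_keys "$demo/authorized_keys" "$demo/approved"
```

On a real server the log is typically /var/log/auth.log (Debian, Ubuntu) or /var/log/secure (RHEL family), and every user's authorized_keys file needs checking, not only root's.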

Inspect files for unexpected changes

If an attacker has gained access to your VPS, they may have modified or added new files. Check to see if any important system files have been recently changed.

Pay special attention to configuration files, as hackers often modify them to give themselves persistent access. Also, review your scheduled tasks (often called “cron jobs” on Linux servers) to see if any unknown scripts are being run automatically.
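
One way to run the file and cron review described above, as an added example that is not from the original article. The function names, the baseline file of expected cron lines and the sample files are constructed; on a real server you would point the functions at /etc and at your cron directories.

```bash
# Regular files under DIR modified in the last DAYS days. Modification times
# can be altered, so an empty result is not proof that nothing changed.
recently_changed() {      # usage: recently_changed DIR DAYS
  find "$1" -type f -mtime -"$2" | sort
}

# Active entries in crontab files under PATH... that are absent from BASELINE.
# Comments, blank lines and VAR=value lines are skipped.
unknown_cron_entries() {  # usage: unknown_cron_entries BASELINE PATH...
  base=$1; shift
  find "$@" -type f | sort | while IFS= read -r f; do
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$f" |
    while IFS= read -r line; do
      grep -qxF -e "$line" "$base" || printf '%s: %s\n' "${f##*/}" "$line"
    done
  done
}

# Constructed sample tree standing in for /etc.
demo=$(mktemp -d); mkdir -p "$demo/etc/cron.d"
printf 'PermitRootLogin no\n' > "$demo/etc/sshd_config"
touch -t 202001010000 "$demo/etc/sshd_config"          # old, untouched file
printf 'Defaults env_reset\n' > "$demo/etc/sudoers"    # written just now
cat > "$demo/etc/cron.d/backup" <<'EOF'
# nightly backup
MAILTO=root
30 2 * * * root /usr/local/bin/backup.sh
*/5 * * * * root /tmp/update.sh
EOF
printf '30 2 * * * root /usr/local/bin/backup.sh\n' > "$demo/cron.baseline"

recently_changed "$demo/etc" 7
unknown_cron_entries "$demo/cron.baseline" "$demo/etc/cron.d"
```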

Look for suspicious programs or processes

Once inside a server, hackers may install malicious software to carry out activities such as sending spam emails, launching attacks on other systems, or mining cryptocurrency.

To detect this, you can check which programs are running in the background. If there are any processes that you don’t recognize or that are using a lot of resources, it could mean your VPS has been hijacked.

Monitor network activity

A compromised VPS might be secretly connecting to unknown servers on the internet. Hackers sometimes use infected servers to send stolen data or act as part of a botnet. Check which connections your VPS is making and look for any suspicious activity, such as unexpected outbound connections to foreign IP addresses.
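
The connection check above can be run over saved `ss -tnp` output. This is an added example, not from the original article: it treats a connection as inbound when its local port is one of the services you run (a heuristic), and the function name, port list, allowlist and sample output are constructed.

```bash
# Established TCP connections that are not inbound to one of our own service
# ports and whose peer is not allowlisted. Input: saved `ss -tnp` output.
unexpected_outbound() {  # usage: unexpected_outbound SS_FILE SERVICE_PORTS ALLOWED_PEERS
  awk -v ports="$2" -v peers="$3" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) svc[p[i]]
            n = split(peers, a, ","); for (i = 1; i <= n; i++) ok[a[i]] }
    $1 == "ESTAB" {
      lport = $4; sub(/^.*:/, "", lport)       # local port
      peer = $5;  sub(/:[0-9]+$/, "", peer)    # peer address, port removed
      gsub(/\[|\]/, "", peer)                  # drop IPv6 brackets
      if ((lport in svc) || (peer in ok)) next
      print $5, ($6 == "" ? "process-unknown" : $6)
    }' "$1" | sort
}

# Constructed sample output (documentation address ranges).
demo=$(mktemp -d)
cat > "$demo/ss.txt" <<'EOF'
State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
ESTAB  0       0       192.0.2.10:22       203.0.113.10:51432 users:(("sshd",pid=1812,fd=4))
ESTAB  0       0       192.0.2.10:443      198.51.100.5:60222 users:(("nginx",pid=901,fd=12))
ESTAB  0       0       192.0.2.10:39922    192.0.2.53:53      users:(("systemd-resolve",pid=410,fd=18))
ESTAB  0       36      192.0.2.10:48210    198.51.100.77:3333 users:(("a.out",pid=4127,fd=3))
LISTEN 0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=700,fd=3))
EOF

# Services we run: 22, 80, 443. Expected peer: our DNS resolver.
unexpected_outbound "$demo/ss.txt" "22,80,443" "192.0.2.53"
```

The process column is only filled in when `ss -tnp` is run as root; without it the function prints `process-unknown`.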

Check security and web logs

Most servers keep logs that record security-related events. By reviewing these logs, you may find evidence of failed login attempts, unauthorized file changes, or attempts to install new software. If you’re running a website on your VPS, you should also check your web server logs for any unusual activity, such as repeated access attempts from the same unknown IP address.
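
A sketch of the log review described above, added here as an example and not taken from the original article. It assumes a syslog-style sshd log and a combined-format web access log; the function names, thresholds and sample log lines are constructed.

```bash
# Count failed SSH password attempts per source IP and print "count ip" for
# IPs at or above MIN. The IP is read from the end of the line because the
# user name in these lines is chosen by the client.
failed_ssh_by_ip() {   # usage: failed_ssh_by_ip AUTH_LOG MIN
  awk -v min="$2" '/ sshd\[[0-9]+\]: Failed password for / { n[$(NF-3)]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

# Count 401/403/404 responses per client IP in a combined-format access log.
# Splitting on the double quote keeps odd request lines from shifting fields.
web_denied_by_ip() {   # usage: web_denied_by_ip ACCESS_LOG MIN
  awk -F'"' -v min="$2" '{ split($1, h, " "); split($3, s, " ")
      if (s[1] ~ /^(401|403|404)$/) n[h[1]]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

# Constructed sample logs (documentation address ranges).
demo=$(mktemp -d)
cat > "$demo/auth.log" <<'EOF'
Mar  4 02:13:51 vps1 sshd[2290]: Failed password for invalid user admin from 198.51.100.77 port 40100 ssh2
Mar  4 02:13:53 vps1 sshd[2290]: Failed password for invalid user from from 198.51.100.77 port 40104 ssh2
Mar  4 02:13:55 vps1 sshd[2292]: Failed password for root from 198.51.100.77 port 40112 ssh2
Mar  4 08:30:12 vps1 sshd[2501]: Failed password for deploy from 203.0.113.10 port 51001 ssh2
EOF
cat > "$demo/access.log" <<'EOF'
198.51.100.77 - - [04/Mar/2025:02:15:01 +0000] "GET /login HTTP/1.1" 404 153 "-" "curl/8.5.0"
198.51.100.77 - - [04/Mar/2025:02:15:02 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "curl/8.5.0"
198.51.100.77 - - [04/Mar/2025:02:15:03 +0000] "POST /admin/login HTTP/1.1" 403 0 "-" "curl/8.5.0"
203.0.113.10 - - [04/Mar/2025:09:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Mar/2025:09:00:05 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
EOF

failed_ssh_by_ip "$demo/auth.log" 3
web_denied_by_ip "$demo/access.log" 3
```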

Scan for malware and rootkits

Hackers often install malware (malicious software) or rootkits (stealthy programs designed to hide unauthorized activity) on compromised servers.

To detect these threats, you can use security scanning tools, such as Imunify360 Plus, that will search your VPS for known malware. Some tools can also look for hidden programs that might be running without your knowledge.

What to do if your VPS has been hacked

If you’ve confirmed that your VPS has been hacked, you need to act quickly to contain the damage and restore security. Here’s a step-by-step guide on what to do:

1. Disconnect your VPS from the internet (if possible)

To prevent further damage, temporarily disable network access if you can. This stops the hacker from doing more harm while you investigate and clean up.

If you can’t take the VPS offline, at least block external access by disabling SSH and other remote login methods.

2. Identify the extent of the breach

Try to determine what the hacker has done.

3. Reset all passwords and remove unauthorized access

Change passwords for everything, including:

If you find unauthorized SSH keys in your server, remove them immediately.

4. Back up important data (carefully)

If your VPS contains important files or website data, back them up before making major changes. However, be cautious—if the hacker has modified or infected files, backing them up could mean saving compromised data. If possible, only back up clean files.

5. Restore from a clean backup (if available)

Restoring your VPS from a recent, clean backup from before the hack is the safest way to get your VPS back to a working state. Make sure your backup is malware-free before restoring.

6. Reinstall the operating system (if needed)

If you can’t fully clean the server, the best way to ensure the hacker is gone is to completely reinstall the operating system.

7. Secure your VPS to prevent future attacks

After recovering from the hack, take steps to harden your server security to prevent future VPS hacks:

It’s also important to work with a reputable VPS hosting provider. At the very least, your server is only as secure as your hosting provider enables it to be. At best, a good VPS host will offer a range of security, monitoring, and backup features and services.

8. Monitor your VPS for suspicious activity

Even after securing your VPS, keep an eye on it for signs of future attacks. Review logs regularly, check for unauthorized logins, and set up alerts for unusual activity.

Luke Cavanagh

Luke Cavanagh, Strategic Support & Accelerant at Liquid Web, is one of the company’s most seasoned subject matter experts, focusing on web hosting, digital marketing, and ecommerce. He is dedicated to educating readers on the latest trends and advancements in technology and digital infrastructure.